Privacy

Morris Group - Introduction

We respect your privacy and are committed to protecting your personal information. This privacy policy will explain to you why we collect your personal information, how we do it and the way in which it is processed or shared. A copy of this privacy policy can be obtained by requesting a paper copy from the Company Secretary at the postal address given below, however please note we may change this policy from time to time and so please ensure you have the correct version.

Who We Are

The Morris Group is made up of a number of companies, including Morris & Company (Shrewsbury) Limited, Morris & Company Limited, Morris Site Machinery Limited, Morris Care Limited and Morris Property Limited (and their subsidiaries), further details of which can be found here. This privacy policy is issued on behalf of the Morris Group and the Morris’s Employees’ Discretionary Trust (“the Trust”). References to” We", "Us" or “Our" for the purpose of this policy means the relevant company in the Morris Group or the Trust whichever entity is processing your information.

The “Controller” for the purposes of this policy is Morris & Company Limited. You will be informed which company in the Morris Group is processing your information when appropriate.

We have a data protection officer (DPO) who is responsible for overseeing this policy. Therefore, any questions about this privacy policy or any requests to exercise your legal rights should be directed to the DPO as follows:

If you are concerned about how your data is being gathered, processed stored or deleted, please contact the DPO immediately. You are entitled to submit a complaint to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk), at any time.

The Information we process

How Information is Collected

We use different methods to collect information from and about you including:

Direct interactions. You provide Us with your personal information either through the use of forms or general correspondence with Us. This includes any information provided when you:

- apply for products or services

- create an account;

- subscribe to a service or publications;

- request marketing information

- make an enquiry

- provide feedback to Us.

Automated technologies or interactions.

As you interact with our website, we may automatically collect Technical Information about your equipment, browsing actions and patterns. We collect this by using cookies, server logs and other similar technologies. We may also receive information about you if you visit other websites that employ our cookies. Please see our cookie policy for further details.

Third parties or publicly available sources.

We may receive personal information about you from various third parties and/or public sources as set out below

- Technical information from analytics providers such as Communigator and Google

- Identity and Contact information from publicly availably sources such as Companies House and the Electoral Register based inside the EU.

Where third parties provide information to Us about visitors to our website this is done by recording your IP address. This is then matched against public and proprietary IP address databases to provide information about your visit. This may identify the organisation to whom the IP address is registered but not specific individuals within the organisation aside from some organisations such as sole trader where this could occur from data obtained from publicly available sources such as the ICANN database.

Third-party links

Our website may include links to third-parties websites, plug-ins and/or applications. Clicking on external links or enabling connections may allow third parties to collect or share information about you. We do not control these third-parties and are not responsible for the protection of your personal information once you have left our site. Third party sites are not governed by this privacy policy.

What Information is Collected

We may collect, use, store and transfer the information categories set out below:

- Identity information such as your full name, username or identifier, marital status, title, date of birth and gender

- Contact information such as billing, delivery or email addresses and telephone numbers.

- Financial information such as bank account and payment details.

- Transaction information such as details about payments to and from you and other details of products and services you have purchased from Us.

- Technical information such as internet protocol (IP) address, login information, browser type/version, location / time zone, browser plug-in types/versions, operating system and platform and other technology on the devices you use to access this website.

- Usage information such as information about how you use our website, products and services.

- Marketing and Communications information such as your marketing/communication preferences in respect of correspondence from Us or third parties.

We also collect, use and share Aggregated information such as statistical or demographic information for any purpose. Aggregated information may be created from your personal information but as it does not directly or indirectly reveal your identity it is not classed as personal information for the purposes of this policy. An example would be Us aggregating your Usage Information to calculate the number of users accessing a specific website feature. If we combined or connected the Aggregated information with your personal information and you could be directly or indirectly identified this is personal information and will be used in accordance with this privacy policy.

Unless confirmed in writing with you we will not collect any Special Categories of Personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic/biometric information or criminal convictions/offences).

If you fail to provide Your personal information

If you fail to provide Us with the personal information we require by law, or under the terms of a contract we have with you, when requested, we may not be able to perform our duties under the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we will be unable to supply you with the relevant product or service and may have to cancel our contract with you. If this applies we will notify you.

Why We Collect the Information

We will only use your personal information for the legitimate interests of our business or where the law requires Us to do so, we will use your personal information in the following circumstances:

- To carry out our duties under a contract we have or are about to enter into with you

- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

- Where we need to comply with a legal or regulatory obligation.

- In respect of the residents of Morris Care where processing the information is necessary for their vital interests.

Generally, we do not rely on consent as a legal basis for processing your information. Consent will however be used when sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

We have set out below, a description of the ways we plan to use your personal information, and the lawful basis we rely on to do so.

It may be that we process your information for more than one lawful ground depending on the specific purpose for which we are using your information. Please contact us if you need further information about the way in which we have processed your information.

Processing Activities

Table of Processing Activities (please note this table is not exhaustive)

To enable you to take part in a prize draw, competition, promotions/offers or complete a survey

- Identity

- Contact

- Profile

- Usage

- Marketing & Communications

- Performance of a contract with you

- Necessary for our legitimate interests (to study how customers use our prodycts/services, to develop them and grow our business)

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of information)

- Identity

- Contact

- Technical

- Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

- Necessary to comply with a legal obligation

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising and information we serve to you

- Identity

- Contact

- Profile

- Usage

- Marketing & Communications

- Technical

- Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

Opting Out / Controlling the Marketing You receive

You have a choice as to the types of marketing materials you receive and how often you receive them. You can ask Us to stop sending you marketing communications at any time by following the opt-out links on any marketing message sent to you or by contacting us

Where you opt out of receiving these marketing communications, we will still hold any personal information provided to Us as a result of a product/service purchase, warranty registration, product/service experience or other transactions. You will have to contact us separately to request to have this information erased.

Promotional offers from Us

We may use your Identity, Contact, Technical, Usage and Profile Information to form a view on your product or service requirements and what marketing materials may be of interest to you. You will receive marketing communications from Us if you opted into to receiving communications from Us. This positive opt in will have been a decision made by you at the time of purchasing goods or services from Us, entering any competition held by Us, registering for a promotional offer or visiting the website and completing an opt in form.

Third-party marketing

We will get your express consent before we share your personal information with any company outside the Morris Group of companies for marketing purposes.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to obtain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows Us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Retention of Your Information

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements or to protect our legitimate business or legal interests.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Information) as required by any competent authority or to protect our legitimate business interests.

We may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

In some circumstances you can ask Us to delete your information and any such requests should be made by contacting us

Sharing Information

Who We Share Your Information With

Although we will not sell or rent your information or provide it to third parties for marketing we may need to share your information with certain parties as set out below in order to comply with our purposes for processing.

- Internal Third Parties

o Other companies in the Morris Group acting as joint controllers or processors or the Trust

- External Third Parties

o Service providers acting as processors, based in the United Kingdom, who provide IT and system administration services.

o Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the EEA and, in the case of Morris Site Machinery Limited only, Australia who provide consultancy, banking, legal, insurance and accounting services.

o HM Revenue & Customs, Office of National Statistics, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.

o Competent regulatory authorities such as the Care Quality Commission

o Marketing Analyst and Database providers such as Communigator, Vecta Sales Solutions Ltd and The Access Group

o In respect of our care facilities; review sites such as www.carehome.co.uk

- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If this were to happen any new owner(s) will only use your data for the purpose it has been gathered.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

Sharing Your Information outside of the EEA

Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal information will involve a transfer of information outside the EEA.

Whenever we transfer your personal information out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission. For further details,

• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal information the same protection it has in Europe.

• Where we use providers based in the US, we may transfer information to them if they are part of the Privacy Shield which requires them to provide similar protection to personal information shared between the Europe and the US.

Please contact us if you want further information on the specific mechanism used by Us when transferring your personal information out of the EEA.

As part of the services we offer, information provided to Us may be transferred to countries outside of the European Union, for example, if our servers were relocated to such a country. By providing your information you are agreeing to a transfer and we can confirm we will take all appropriate steps to guarantee that security measures are in place to ensure that your rights are protected as outlined in this policy.

The Security of Your Information

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information for the reason it has been gathered and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your Legal Rights

You have rights under data protection laws in relation to your personal information. These rights and further information relating to the same are set out below:

Request access to your personal information (commonly known as a "Subject Access Request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to Us. It is important that the personal information we hold about you is accurate and current. Please keep Us informed if your personal information changes during your relationship with Us.

Request erasure of your personal information. This enables you to ask Us to delete or remove personal information where there is no good reason for Us continuing to process it. You also have the right to ask Us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party). If you feel this processing impacts on your fundamental rights and freedoms you may object to the processing. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal information. This enables you to ask Us to suspend the processing of your personal information in the following scenarios: (a) if you want Us to establish the accuracy of the information; (b) where our use of the information is unlawful but you do not want Us to erase it; (c) where you need Us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for Us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal information. This will not, however, affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

Subject Access Requests

You have the right to make a Subject Access Request (SAR) to find out what information we as a business hold on you. You would be entitled to:

- Ask what information we hold on them and why

- Ask how to gain access to it

- Gain access to it unless there is a legal reason denying this access

- Be informed how to keep it up to date

- Be informed how we are meeting out GDPR obligations

- Request for this information to be transferred or erased

No fee usually required

Ordinarily we will not ask you to pay a fee to access your personal information, however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, in these circumstances, we may refuse to comply with your request.

What we may need from you

We may need to request certain information from you to help Us confirm your identity and your right to access the personal information we hold (or to exercise any of your other rights). This is a security measure to ensure that information is not disclosed to any person who does not have the right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We aim to respond to all legitimate requests within one month. Occasionally it may take Us longer than a month for example if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.